 From:  Daniele Guazzoni <daniele dot guazzoni at gcomm dot ch>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 1.3b2 - broken IPSec tunnels to Cisco PIX
 Date:  Thu, 28 Dec 2006 14:38:21 +0100
IPsec works in two phases:

Phase-1:
During this phase the peers exchange the parameters, the policies and the keys.
Each peer checks the identity of its peer-neighbour and negotiates all parameters.
If both peers can agree on a set of parameters and policies, SAs (Security Associations) are created.

Phase-2:
This is the tunnel (or transport) part of IPsec.
Phase-2 encrypts and encapsulates the payload into the tunnel.

What about lifetime:
Actually you run two sets of keys, one for each phase.
The lifetime defines how often you re-exchange the keys.
Therefore asking for the "ideal" lifetime value is a matter of how secure your tunnel has to be.
Of course a short lifetime will increase the security, as keys are changed often, but keep in mind that
the process of generating, exchanging and checking keys is also CPU intensive.

IPsec defines a framework of protocols to encrypt traffic, but different vendors also apply
different "interpretations" of it.
Actually the negotiation part of phase-1 is not mandatory and a VPN endpoint can quick-and-dirty
reject non-matching peers.
The PIX does not like mismatching parameters and will either reject the session or simply keep their
Depending on the PIX-OS release you will not get any IPsec, or your tunnel will break down as soon as
one of the peers initiates a rekey (since the peer partner does not expect a rekey, based on its
configured lifetime).

Hope this helps.


Jai Ketteridge wrote:
> What's interesting is that a different PIX setup guide I've seen says to set
> phase 1 to 28800? And the monowall setup says phase 2 to 14400. It's so
> confusing!
> http://www.isaserver.org/tutorials/Implementing-IPSEC-Site-to-Site-VPN-between-ISA-Server-2006-Beta-Cisco-PIX-501.html
> Could someone please explain exactly what phase 1 is, exactly what timings
> are suitable, what phase 2 is and what timings are suitable!
> Thank you everybody!
> JK


Daniele Guazzoni
Senior Network Engineer, CCNP, CCNA

Linux and AMD-x86_64, or are you still with Windows and Intel?

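As an added illustration of the point made above about mismatched lifetimes (this is example configuration written for this page, not taken from the original posts, from m0n0wall or from Cisco documentation), here is what a matching pair of phase-1 and phase-2 lifetimes looks like on both ends of such a tunnel. The m0n0wall side is shown as the racoon.conf that the firewall drives its IPsec daemon with; the PIX side is PIX OS 6.x style CLI. All addresses (203.0.113.2 for m0n0wall, 198.51.100.1 for the PIX), the subnets, the transform-set and crypto-map names and the lifetime values 28800/14400 are assumptions chosen for the example. The check a practitioner wants is simple: the phase-1 value in the `remote` proposal must equal `isakmp policy ... lifetime`, and the phase-2 value in `sainfo` must equal the PIX `crypto ipsec security-association lifetime seconds`.

```conf
# ---- m0n0wall side: racoon.conf (assumed values, example only) -------------
# Phase-1 (ISAKMP / IKE SA). The lifetime here must match the PIX
# "isakmp policy 10 lifetime" below, otherwise one side rekeys while the
# other still considers the SA valid.
remote 198.51.100.1 {
        exchange_mode main;
        my_identifier address 203.0.113.2;
        peers_identifier address 198.51.100.1;
        # "obey" lets racoon accept the initiator's proposed lifetime; with
        # "strict" or "exact" a mismatch is rejected at negotiation instead of
        # surfacing later as an unexpected rekey.
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 28800 sec;   # phase-1 lifetime, 8 hours
        }
}

# Phase-2 (IPsec SA carrying the payload). Must match the PIX
# "crypto ipsec security-association lifetime seconds" below.
sainfo address 192.168.1.0/24 any address 10.0.0.0/24 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        pfs_group 2;
        lifetime time 14400 sec;           # phase-2 lifetime, 4 hours
}

! ---- PIX side: PIX OS 6.x CLI (assumed values, example only) ---------------
! Phase-1 policy: same algorithms, same DH group, same lifetime as the
! racoon "proposal" block above.
isakmp enable outside
isakmp key <pre-shared-key> address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800

! Phase-2: transform set and SA lifetime matching the racoon "sainfo" block.
access-list m0n0_acl permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set m0n0set esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 14400
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address m0n0_acl
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set m0n0set
crypto map outside_map 10 set pfs group2
crypto map outside_map interface outside
```

The two 28800/14400 pairs are the whole point: the absolute numbers are a local security-versus-CPU trade-off, as the post says, but they must be the same on both peers, and the phase-2 value should not exceed the phase-1 value. If the tunnel comes up and then drops at a fixed interval equal to one side's configured lifetime, compare exactly these four lines first.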